The Call Detail Record Postgres logging engine (cdr_pgsql) does not correctly escape the ANI and DNIS arguments before using them in SQL statements (CVE-2007-6170).

When using database-based registrations ("realtime") and host-based authentication, Asterisk does not check the IP address when the username is correct and there is no password provided (CVE-2007-6430).

The SIP channel driver does not correctly determine if authentication is required (CVE-2008-1332).

Impact

Remote authenticated attackers could send specially crafted data to Asterisk to execute arbitrary SQL commands and compromise the administrative database. Remote unauthenticated attackers could bypass authentication using a valid username to hijack other user's sessions, and establish sessions on the SIP channel without authentication.